Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies

This report analyses the latest generation of “national cybersecurity strategies” in ten countries and identifies commonalities and differences.

This comparative analysis reveals that cybersecurity policy making is at a turning point. In many countries, it has become a national policy priority supported by stronger leadership. A single definition of cybersecurity cannot be derived from these strategies. Nevertheless, all new strategies are becoming integrated and comprehensive. They approach cybersecurity in a holistic manner, encompassing economic, social, educational, legal, law-enforcement, technical, diplomatic, military and intelligence-related aspects. “Sovereignty considerations” have become increasingly important.

The new generation of national cybersecurity strategies aims to drive economic and social prosperity and protect cyberspace-reliant societies against cyber-threats. This has been a traditional area of interest for the OECD, going back to the 1992 Guidelines for the security of information systems. A key challenge of cybersecurity policy making today is to pursue these two objectives while preserving the openness of the Internet as a platform for innovation and new sources of growth.

The report examines the various commonalities and differences in the strategies and compares the main characteristics of governments’ action plans. In addition, it highlights suggestions by business, civil society and the Internet technical community, for example with respect to security-related barriers to trade that could inhibit innovation and global deployment of cost-effective security solutions. The full text of the contribution of non-governmental stakeholders to this work is also available.

The report calls for further analysis of the intersections between economic, social and sovereignty cybersecurity policies and points out the opportunity for countries to extend their national co-ordination agency as an international contact point to facilitate co-operation on cybersecurity at policy and operational levels.